CVE-2016-8782

Vulnerability

Huawei CloudEngine 12800 series switches running software versions V100R003C00, V100R003C10, V100R005C00, V100R005C10, and V100R006C00 are affected by a memory leak vulnerability. The flaw resides in the Label Distribution Protocol (LDP) processing module, which does not properly validate specific fields in received LDP packets. An unauthenticated attacker can exploit this weakness by sending specially crafted LDP packets repeatedly to the device. The improper validation causes the LDP module to allocate memory without releasing it, leading to memory exhaustion over time. [1]

Exploitation

The attacker does not require any authentication or prior access to the target device. They only need network connectivity to the affected switch to send a continuous stream of malformed LDP packets. By repeatedly sending these specially crafted packets, each iteration consumes additional memory without corresponding deallocation. Over time, this memory leak degrades system performance and may eventually cause the device to become unresponsive or crash. [1]

Impact

Successful exploitation results in memory resource exhaustion, leading to a denial of service (DoS) condition. Network services provided by the switch may be disrupted, potentially affecting network traffic forwarding and management operations. The vulnerability does not lead to information disclosure or data corruption; the primary impact is availability degradation. [1]

Mitigation

Huawei has addressed this vulnerability in CloudEngine 12800 version V200R001C00SPC700 and later releases. Affected customers should upgrade to the fixed version as referenced in the security advisory. [1]